I sort logs by hostname, but often the hostname field is wrong, containing a program name (from some Solaris hosts) or a severity level (some network devices). Would it be possible to add a macro for the client IP/hostname?

Instead of logging like this:

    destination hosts {
        file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
             owner(root) group(logs) perm(0644) dir_perm(0755) create_dirs(yes));
    };

I could log like this:

    destination hosts {
        file("/var/log/HOSTS/$gethostbyaddr/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
             owner(root) group(logs) perm(0644) dir_perm(0755) create_dirs(yes));
    };

This way, /var/log/HOSTS/unixbox gets the log that the host "unixbox" sent even if the message itself is formatted incorrectly.

Man, I wish I knew C and could supply patches. Maybe I'll finally apply myself to the K&R C book soon and see what I can churn out ;)

-- 
Nate

"Mac users swear by their Mac, PC users swear at their PC."
participants (1): Nate Campi
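The behaviour requested above, sketched as an added example that is not part of the original post and is not syslog-ng code: the directory name comes from the socket peer address through a reverse lookup rather than from the message's hostname field, and falls back to the IP when the lookup fails or returns a name that is unsafe as a path component. The function names, the injectable resolver and the PTR table are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from datetime import date

# A reverse-DNS answer is still remote-controlled data, so only a plain
# short host label is accepted as a directory name.
SAFE_LABEL = re.compile(r"^[a-z0-9][a-z0-9_-]{0,62}$")

def client_dir_name(peer_ip, resolver=socket.gethostbyaddr):
    """Name the sender by its peer address, ignoring the message's HOST field."""
    ipaddress.ip_address(peer_ip)  # raises ValueError if not an IP address
    try:
        # Short name only, matching /var/log/HOSTS/unixbox in the post.
        label = resolver(peer_ip)[0].split(".")[0].lower()
    except (OSError, IndexError):
        return peer_ip  # no PTR record or resolver failure
    return label if SAFE_LABEL.match(label) else peer_ip

def log_path(peer_ip, facility, day, resolver=socket.gethostbyaddr):
    """Build the post's path layout with the peer-derived name in place of $HOST.
    facility is assumed to come from the fixed syslog facility names."""
    return "/var/log/HOSTS/{}/{}/{}{}".format(
        client_dir_name(peer_ip, resolver),
        day.strftime("%Y/%m/%d"),
        facility,
        day.strftime("%Y%m%d"),
    )

# Constructed PTR table (documentation addresses), so the example runs offline.
CONSTRUCTED_PTR = {
    "192.0.2.10": "unixbox.example.com",
    "192.0.2.20": "evil/../../etc.example.com",  # hostile PTR answer
}

def fake_resolver(ip):
    """Stand-in for socket.gethostbyaddr backed by the constructed table."""
    if ip not in CONSTRUCTED_PTR:
        raise socket.herror(1, "Unknown host")
    return (CONSTRUCTED_PTR[ip], [], [ip])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(log_path(ip, "auth", date(2024, 1, 5), fake_resolver))
```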